KB40559 - JSAM, Premier Java RDP (Hob) and other Java applets that are accessed via Pulse Connect Secure (PCS) solution fail to launch due to SSL handshake error when High Cipher is selected

Information

Last Modified Date

7/20/2017 5:47 PM

Synopsis

JSAM, Premier Java RDP (Hob) and other Java applets that are accessed via a PCS device may fail to launch due to an SSL handshake error if the PCS device has been configured with 'High' Cipher Suites. This applies only to PCS devices running 8.1R11.1 or higher, 8.2R8 or higher, and 8.3R1 or higher; earlier versions are not impacted by the issue described in this article.

The Java Client Delivery functionality of PCS, which is used to launch various client components (such as Host Checker, Pulse Client, etc.), may fail to launch with the message below in the Java console.

Note: These are generic failure messages that may appear due to different underlying root causes. This article applies only if you are running a PCS software version mentioned in the article AND your PCS gateway device only allows 'High' ciphers for TLS (https) communication.

Screenshot1: Java Console output when an end-user experiences this issue

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)

Screenshot2: Error when launching Premier Java RDP (Hob) applet

Cause

This interoperability issue arose as an unintended side effect of the mitigation for SWEET32 (CVE-2016-2183), as described in SA40312.

As part of the mitigation, Pulse Secure moved the 3DES cipher from the 'High Cipher' to the 'Medium Cipher' predefined cipher list. The Oracle JRE client by default does not support any cipher in Pulse Secure's predefined 'High Cipher' list, which results in an https communication error when connecting to PCS devices configured with 'High Ciphers'. Details about this specific Oracle JRE limitation are available at this Oracle website under the section labelled 'Import Limits on Cryptographic Algorithm'.
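
To confirm this cause on an affected end-user machine, the following added example (not part of the original article, and not Pulse Secure or Oracle code) prints the JRE's maximum permitted AES key length and the TLS cipher suites it enables by default. The class name JreCipherCheck and the grouping of suites by the name fragments AES_256, AES_128 and 3DES are assumptions made for illustration; the article does not enumerate the contents of the 'High' list.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical diagnostic class: reports what this JRE can offer in a TLS handshake.
public class JreCipherCheck {
    public static void main(String[] args) throws Exception {
        // Integer.MAX_VALUE means the unlimited-strength policy is active;
        // 128 is the AES limit under the default (limited) policy files.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = (maxAes == Integer.MAX_VALUE);

        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("java.home          : " + System.getProperty("java.home"));
        System.out.println("Max AES key length : " + (unlimited ? "unlimited" : maxAes + " bits"));

        // Suites and protocols the default JSSE client offers in its ClientHello.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("Enabled protocols  : " + Arrays.toString(params.getProtocols()));

        // Assumption: group suites by key-size fragment in the JSSE suite name.
        List<String> aes256 = new ArrayList<>();
        List<String> aes128 = new ArrayList<>();
        List<String> tripleDes = new ArrayList<>();
        for (String suite : params.getCipherSuites()) {
            if (suite.contains("AES_256")) aes256.add(suite);
            else if (suite.contains("AES_128")) aes128.add(suite);
            else if (suite.contains("3DES")) tripleDes.add(suite);
        }
        printGroup("AES-256 suites", aes256);
        printGroup("AES-128 suites", aes128);
        printGroup("3DES suites", tripleDes);

        if (!unlimited && aes256.isEmpty()) {
            System.out.println("RESULT: limited policy files in use; this JRE offers no "
                    + "AES-256 suite, so a gateway that accepts only stronger ciphers "
                    + "will answer with handshake_failure.");
        } else {
            System.out.println("RESULT: this JRE can offer AES-256 suites.");
        }
    }

    private static void printGroup(String label, List<String> suites) {
        System.out.println(label + " (" + suites.size() + "):");
        for (String s : suites) System.out.println("  " + s);
    }
}
```

Run it with the same JRE installation that launches the applets, since a machine may have several JREs with different policy files.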

Solution

This interoperability issue can be avoided either by configuring the PCS gateway device to allow https communication using a cipher that is supported by the default Oracle JRE client, or by installing the JCE files (Oracle's Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files) on each end-user machine.

Option1: Configuring the PCS gateway device to allow https communication using a cipher that is supported by the default Oracle JRE client

Log in to the PCS admin console

Navigate to System > Configuration > Security > SSL Options

Either select the predefined cipher list labelled 'Medium', or select Custom Cipher SSL selection and then add the medium strength ciphers as shown in the screenshot below

Screenshot from 8.1Rx

Screenshot from 8.2Rx:

Note: In 8.2Rx, if you are using the Custom SSL Cipher option, ensure that you have manually added the ciphers that the JRE client supports (for example, the AES-128 bit ciphers).